Friday, November 16, 2007

Interested in GPL code for your closed source project?

This post does not really fit the theme of this blog as a "fix" but may may help someone avoid broken-ness in the first place.

Question: If I am writing closed source PHP software intended for distribution (not just for use as a web service, see http://radar.oreilly.com/archives/2007/07/the_gpl_and_sof_1.html), and I incorporate a few GPL components, does my software become "infected" and necessarily GPL as well?

Answer:
The answer to this question would matter to someone who has invested, or is about to invest, significant resources in what he/she may consider an original work, but who may also be tempted to incorporate freely available GPL'd software in the process.

From information you can gather from the Free Software Foundation, the answer seems simple:
"[P]eople have been wondering what the rules are when you link to some GPLv3-covered code. They're the same as they were under GPLv2: the combined work you create needs to be GPLed as well."
(from http://www.fsf.org/blogs/licensing/2007-10-18-gplv3-fud)

or from Richard Stallman:
"I once found out about a non-free program which was designed to use Readline [a library covered by GPL], and told the developer this was not allowed. He could have taken command-line editing out of the program, but what he actually did was rerelease it under the GPL."
(from http://www.gnu.org/philosophy/pragmatic.html)

and even more directly from GNU:
"You cannot incorporate GPL-covered software in a proprietary system.... A system incorporating a GPL-covered program is an extended version of that program.... [and] must be released under the GPL."
(from http://www.gnu.org/licenses/gpl-faq.html#GPLInProprietarySystem)

Despite these forceful admonitions that if A, a GPL work, is combined with B, then the resulting A+B then has to be GPL, there are places where even GNU concedes that it is not always the case that when one piece of GPL software is distributed with some other software, that the GPL will always override whatever "some other's" redistribution license might have been.

For example, the Linux kernel is GPL2 only (not "or any later version") and might never be changed by the kernel developers to GPL3 (http://radar.oreilly.com/archives/2007/04/gplv3_linux_and.html), while many other GNU programs in the GNU/Linux may soon be GPL3. If these separate pieces of inter-operable software are distributed together under two incompatible licenses (GPLv2 is incompatible with GPLv3, http://www.gnu.org/licenses/license-list.html#GNUGPL), then that would prove that just because B relies on, and is distributed with GPL'd A, does not mean that B is required to have the same, or even a compatible, license as A.

The possibility that proprietary software may in some circumstances use GPL'd parts is explored a bit on GNU's site:
"in many cases you can distribute the GPL-covered software alongside your proprietary system. To do this validly, you must make sure that the free and non-free programs communicate at arms length, that they are not combined in a way that would make them effectively a single program."
(from http://www.gnu.org/licenses/gpl-faq.html#GPLInProprietarySystem)

So, the trick to keeping an original work closed, when part of its function depends upon other GPL'd work, is to maintain separation between the projects. How this is technically achieved is not completely clear.

In the case of PHP or other interpreted languages, the "include" and "require" statements that one might use to bring in some functionality from GPL source (like a template engine or WYSIWYG editor) do not necessarily involve the same level of integration as static or dynamically linked libraries, which GNU advocates have argued clearly results in all parts combining into a single GPL whole.

Whatever technical means used in keeping separation, if you want your source to stay closed, the functions performed by the GPL software should not be the core functions of your proprietary program. For example, if you have some proprietary data manipulation software and would like to add a graph to a report it generates, it might be fine to distribute a GPL graphing script alongside your program without it necessarily "infecting" your closed license and forcing it open. However, if you were producing some closed reporting software whose primary or significant function was generating graphs, then you could not include GPL graphing software to perform that function and expect to keep your source closed.

Another requirement that I've assumed this far in the discussion is that your closed project actually is an original work, and not a "derivative" one. This is because the obligations imposed by the GPL only arise when a work is derived from the GPL work. Derivative is a term defined relatively loosely by US copyright law but involves the same analysis as with books and movies. For example, if I were to write a novel describing the adventures of Harry Potter after his 27th birthday, my work would be derived from the fictional universe created and copyrighted by J.K. Rowling, and since her work is not GPL, my work would be infringing. However, if I were to write a novel about a fictional boy who reads the Potter series and spends the rest of his life trying to learn magic, I am much more likely to have created an original, non-derivative work, deserving of independent copyright.

Whether your software that uses a GPL component is derivative of that component, therefore, depends. Were portions of your work copied from GPL source? Is your version just a wrapper around a GPL core? Or is your work a distinct entity that happens to be able to interact with GPL software?

It is possible to write non-free software that talks back and forth with GPL software, without losing your proprietary license status. The boundary is just fuzzy how close the relationship with GPL software can be, beyond which you will infect your closed project. If it is too close, the risk is that your work will be deemed legally "derivative" of the GPL one, and forced open by the GPL. But if you make sure the two projects keep their distance, talk at arms' length, and keep your project's core purpose distinct from the GPL one, then you will have created a new, non-derivative, copyrighted work and can avoid any sudden GPL "infection."

Of course, there is still much uncertainty in this area. For example, some companies refuse to write drivers for Linux because they believe (whether because of FUD or otherwise) doing so would cause the GPL to spread through their intellectual property like a disease, opening source to competitors for free, and harming themselves financially. After this analysis, I don't think that would actually be the legal outcome, but there's not a black and white answer. Perhaps with more research, there would be.

References:

http://blog.lab49.com/archives/659
http://drupal.org/node/25768
http://www.linuxjournal.com/article/6366
http://www.linuxjournal.com/article/5935
http://www.redhat.com/magazine/007may05/features/compliance/
http://tech.amikelive.com/node-14/the-gpl-myth-opensource-is-free-of-charge/
http://www.techdirt.com/article.php?sid=20070921/145609
http://radar.oreilly.com/archives/2007/07/the_gpl_and_sof_1.html
http://www.gnu.org/licenses/gpl-faq.html
http://www.gnu.org/philosophy/pragmatic.html
http://en.wikipedia.org/wiki/Open_source_vs._closed_source

Thursday, August 30, 2007

Dog Boots don't exist for a 80lb. steel spring

Review of Bark'n Boots Grip Trex

These boots display great quality materials (Vibram sole, neoprene/cordura uppers), smooth stitching and great craftsmanship. They are far better than anything else available such as Walkaboot, Ultra-Paws, Neopaws, etc). This whole shoe looks as good as any made for human children. HOWEVER, they did not fit or stay on, at least for my dog, who is like a tightly wound spring and creates a lot of traction forces when he runs and darts about.

The general design of these boots is still the same as the old version (which you may see on the clearance rack at some shops) in that the shoes only come up to the wrist, and unlike a human wrist or ankle, the width of the dog's wrist is about the same as the paw's width. That means this boot's single wrist strap holds about as well as a handcuff would on a cigar. My dog lost the first boot in less than 5 minutes after we started walking a wooded trail and continued to lose more at regular intervals.

Another problem with the fit was that the boots would flip upside down on the dog's feet so that he was standing on the uppers instead of the sole. For the boots that were not totally lost, I had to keep resetting them on his feet every 5-10 minutes. What allows the boot to twist around like this is that the inside of the boot is shaped like a cone, which allows the boot to rotate around on the foot. If the upper material was cut flatter and had more of a wetsuit stretch, it might resist that spinning better.

Relating to the boots' ability to stay on is its "side-loading" design like a slipper, as opposed to "top loading" like a human boot. Because of this and the poor holding power of just the single Velcro strap, the boot just comes off the way a tube sock would if it were pulled down to just the ball of your foot and given a few shakes. If the boot were top loading, though, the L-shape angle of ankle to foot seam would help hold the boot on, plus there could be additional lacing up the ankle as there is on a human hi-top shoe.

Another problem with the low cut is that at the back of the boot, where ankle becomes paw, the shoe suffers from "plumber butt." That is, at the L bend between ankle and foot, the shoe material hangs open in the same way that the back of your own pants opens along your rear belt loop when you bend over. This gap at the back of the shoe allows debris such as weed seeds, foxtails, pebbles, sand and other itchy poky things to fall inside the shoe where they will irritate the dogs feet worse than having no shoes at all. This could be alleviated if the upper were cut to angle up the leg a bit more before being wrapped with a second strap. A second strap could prevent things from falling inside the shoe and assist in securing the boot on the foot.

I contacted Ruff Wear about the problems of this low-top design and they said they would be coming out with another model boot that will secure higher on the ankle in Spring or Summer 2008.

After observing the performance of the Velcro in the field, I found that with a dog that runs through all kinds of grass and brush, the "sticky" side of the Velcro quickly becomes clogged with debris, reducing its effectiveness at staying fastened. I think that the straps on these boots got clogged enough to weaken the connection enough that just brushing against things on the trail and the dog's flexing caused them to release, and make the boot just suddenly open and fall off. Perhaps old-fashioned laces would be better, or else quick-adjust buckles like are used on backpack straps. Velcro in this application seems to only be good for securing dangling slack strap.

I feel part of the reason the boots stayed on so poorly was because they were not fitting properly. If you intend to buy these boots, you need to have a look at the "alternate size chart" that is buried in the FAQ on Ruff Wear's website. It is slightly different than the more common size chart that you typically see displayed near these products and it may help you pick the right size.

Also buried in their FAQ is notice that most dogs' rear feet are smaller than their front feet. Because of this, their rear feet may take a smaller size than their front feet. So, if you want to get the right fit, try on some boots at an REI store first, or order boots 2 at a time from ruffwear.com (they sell individual boots now for $15 each). Otherwise, if you just buy a set of 4 boots all the same size, as they are sold at retail, you may end up with half being too big.

Because of all these problems, I had to be dealing with boots every 5-10 minutes on the hike, instead of enjoying ourselves on it. These boots are so expensive to replace, the fact that they do not stay on as designed currently is a big problem. That said, I still would much rather have a set of boots that worked than $60 or even $100.

These did not work for me. If your dog just prances gently along, or is old and moves slowly, they might work for you.


Monday, July 30, 2007

Toyota Tacoma Seats

I came across this scanned document (click for full size view) describing the available seat types for 2005-present Toyota Tacoma while ordering waterproof neoprene seat covers from Wetokole.com.

In case Tacoma owners didn't know, the passenger seat folds flat into a table with a plastic tray for tabletop, and in between the seat back and seat bottom of the passenger seat, some models have 2 metal brackets intended for holding a baby seat.

This diagram is probably hard to find and may be useful for other modifications or accessories.

Now does anyone know whether the stock stereo has an aux audio input behind the dash somewhere for my mp3 player so I don't have to take the whole dash apart to find out?

UPDATE on aux input: No, your non-premium stock stereo does not have an aux input. But it does have a plug on the back for connecting a CD changer. The USA Spec PA12TOY adapter can plug in there, and then provide you with analog RCA stereo inputs and a native iPod dock connector so you can play your music through your car stereo.

Thursday, February 22, 2007

Recovering (or stealing) a domain registration

Most organizations don't think much about their domain registration until it either expires -- disabling their website and email -- or until the day before they intend to launch a new website at a new webhosting provider.

Often the internal employee who originally purchased a domain registration for a company no longer works there, or the web host that handled the registration as a middleman becomes defunct, and the owner is left with no record of how to access the registration. The result is that the registration is frozen, nameservers and WHOIS contacts cannot be changed and the poor mope who's been assigned the wild goose chase of regaining control of the domain name has no idea where to begin.

Where to begin is first identifying the registrar for a particular domain name. This information is in the publicly available WHOIS database. If you've never queried WHOIS, take a look at http://geektools.com/whois.php and enter any domain name. In the output, the identity of the registrar is contained in the bits of data labeled "Referral URL," "Sponsoring Registrar," or "Registrar."

Because everything these days is web-based self-service, most registrars have a self-help way to recover a password. This generally consists of going to a public page on the registrar's website (that you identified through WHOIS), entering the domain name in a form, and the registrar sending an automated message to the email address in the registrar's records that offers a way to recover or reset the password used to access the registration. Whoever can read that email will be the de facto new owner of the registration.

As a practical matter, whoever controls a domain registration controls all email and the website for that domain. Gone are the days when you needed to pay a special "registrant transfer" fee and sign papers in order to sell your registration to another party. Today, any legitimate registrar has a web interface that lets the domain owner login and change whatever data they please, including "registrant." If you want to sell your domain name, all you do now is give the username and password to the new owner, and they can login to change WHOIS info, nameservers, or even approve a registration transfer to a new registrar.

Network Solutions, the oldest registrar with the worst service and highest prices, has automated tools on their website that allow anyone on the internet to take control of a domain registration registered there, so long as that person has access to read the email of the Administrative Contact listed in the publicly visible WHOIS database. You can find Network Solutions automated login recovery page here: https://www.networksolutions.com/manage-it/forget-login.jsp

[Unlike most other registrars, at Network Solutions, total login recovery is a 2 phase project. First you have to recover the "Account ID" that NetSol arbitrarily assigns to owners, and that no one can remember. This is done by putting either the domain name or the Admin Contact's email address in NetSol's web form. Then they automatically email the Admin Contact the Account ID associated with the registration. Once you have that Account ID, you paste it into the "lost password" form, and they email the same Admin Contact a link to click that will reset the password. Whoever receives those emails can reset the password to the account, login, and do whatever they please with the registration.]

If the Administrative Contact's email address is "@" the same domain as the registration, then the organization should have an easy time reading those machine-generated emails (ask your system administrator or web host for help). However, using the same domain name as an email contact point on the registration is usually a bad idea, since if anything goes wrong with the registration (like expiration), then email at that domain name is likely to be broken and you will not be able to receive email sent to that address at the same domain name. For that reason, it's a good idea to use a permanent email address at a different domain name as a contact point on your registration, such as one from Yahoo, Gmail, or your local ISP.

In some cases, the email address for the Admin Contact that the registrar has on record may also be defunct, and if it's your job to recover that registration, you might be ready to give up at that point and start faxing blurry paperwork to Network Solutions (which, by the way, anyone, even Nigerians, can also do) to prove you're entitled to access, then waiting helplessly four days for them to get around to considering it.

An alternative is to look closely at the Admin Contact email address listed in WHOIS. If you can take over the email address marked as Administrative Contact, you can take over the entire registration of any Network Solutions registration. Seizing a registration that way means you will have control over email to the entire organization, can redirect their website traffic and more.

Because many organizations never think about their domain registration until it's expired and their entire domain is down, the contact information in WHOIS associated with those registrations is consequently not maintained accurately by registrants, either. This provides any registration recovery agent, or thief, a foothold. If the email address of the Admin Contact is one "@" a public internet service provider, you can check to see if that email address is valid anymore. If it's not, it's yours.

One can check by sending an email to that address and waiting for a bounce message or reply. Or, you can lookup the MX record of the domain name, then connect to the SMTP port on that server, and initiate a manual SMTP conversation with that server to test whether the listed Admin Contact email address is still "occupied."

For example, the Admin Contact for a particular domain name registered at Network Solutions is "swall@bigsky.net." Bigsky.net was a company bought out by bigger ISP, Amerion. Amerion continues to let subscribers (like S. Wall) have email at the original local ISP's "bigsky.net" namespace.

The organization for which S. Wall was an Admin Contact has lost its registration login info, has kept no records, and now wants to change web hosts, which requires gaining access to and modifying their domain registration.

The easiest thing we might do to resolve this is email that Admin Contact's address and see if we can get the user to cooperate and either forward or read to us whatever emails from the registrar they receive. But what if that user canceled her email service a long time ago and there's no one to answer? What if, when we email that address, we just get a bounce message with an error like "Code 550, no such user?"

If were interested in learning on a more massive scale how prevalent this condition is (Admin Contact email addresses that are abandoned), we might write a script to harvest all the Admin Contact email addresses from a list of domain names, programatically testing each Admin Contact's email address, searching for "no such user" type errors, and saving all the ones that we find in a pile labeled "vulnerable."

In our example, we're looking at the Admin Contact address "swall@bigsky.net," and after extracting the MX record of the bigsky.net domain using nslookup, host, or dig (http://geektools.com/digtool.php), we find the following MX records:
bigsky.net mail exchanger = 20 bigsky.net.amerion.mail6.psmtp.com.
bigsky.net mail exchanger = 30 bigsky.net.amerion.mail7.psmtp.com.
bigsky.net mail exchanger = 10 bigsky.net.amerion.mail5.psmtp.com.
We can test any of those mailservers (they all should behave the same) in the following way:
telnet bigsky.net.amerion.mail5.psmtp.com 25
Trying 64.18.5.10...
Connected to bigsky.net.amerion.mail5.psmtp.com.
Escape character is '^]'.
220 Postini ESMTP 157 y6_8_11c0 ready. CA Business and Professions
Code Section 17538.45 forbids use of this system for unsolicited
electronic mail advertisements.
helo whatever.com
250 Postini says hello back
mail from: someone@whatever.com
250 Ok
rcpt to: swall@bigsky.net
550 unknown user
The last response tells us that the Admin Contact's email address is up for grabs.

All of the above could be encapsulated into a fairly simple script capable of being fed a long list of domain names (or dictionary words ending in ".com") that an attacker would like to steal, extracting the email address of the Admin Contact using a little WHOIS and regular expression action, then another regex to parse out the domain name of that email address, then a lookup to pull the MX for that email address' domain, and then a little socket programming to test that MX to see if that email address is still valid. An attacker who has written the above program could have a list of 1000 popular domain names that are ripe for hijacking, overnight.

For any email addresses at public internet service providers that are invalid, all one need do to own that address is go to that ISP's website and sign up for an account. In our example, I signed up with Amerion over the phone for a $9.95/month account. Five minutes later I was receiving mail addressed to "swall@bigsky.net" through Amerion's handy webmail system. Two minutes after that (and after changing the email address listed as Admin Contact on the registration), I was canceling the account over the phone with a nice Amerion rep who did not inquire further into why I needed the service for less than 10 minutes.

Anyone could do the same with any unoccupied email address at any public internet service provider.

Being able to receive that email meant that I could receive Network Solutions' automated password recovery messages, and as soon as that happened, I had control over this domain. Lucky for this organization, they asked me to provide them with this service.

However, for all the thousands of other organizations out there with stale contact information on their domain registrations, and the chunk of those unlucky enough to have the Admin address be unoccupied space at a public provider, anyone with a stolen credit card number can deface your website, intercept your company's email, or even sell your domain name for a tidy sum to an innocent third party.

For those readers feeling uneasy about my publishing such exploits, I recommend reading the rationale of "full disclosure" and how publication actually improves security: http://www.schneier.com/crypto-gram-0702.html#4

Admittedly, though, this really is not a case of Network Solutions or any other registrar leaving a security hole in the domain registration system. Rather, this vulnerability of some registrations is really a product of the convenience demanded by consumers who are just not very well-versed in maintaining integrity or security of sensitive data.